RE: audit 0.6 release

From: Casey Schaufler <casey schaufler-ca com>

To: Linux Audit Discussion <linux-audit redhat com>

Subject: RE: audit 0.6 release

Date: Thu, 6 Jan 2005 16:41:18 -0800 (PST)

--- Leigh Purdie <Leigh Purdie intersectalliance com> wrote:
> Usually, from an on-system filtering perspective, the auditor is
> interested in real user ID only. The other IDs are very useful in
> follow-up analysis though.
In C2 and CAPP evaluations I've worked on the
real userid was deemed too volatile to identify
the user who had logged in. Solaris and Irix
maintain a separate "audit user id" that is set
at login and not changed, even by su.
> > 4. Do you mean the path name "/tmp/foo", or the
> > inode 86753 on the root file system? What
> > about symlinks, mount points, and/or pseudo
> > filesystem redirections?
>
> This is where it gets nasty doesn't it. ;)
Yup!
> Snare works this way (bouncing every single file open through to the
> audit daemon for resolution, when a user has requested file open
> auditing). Not optimal, which is why filtering in-kernel may be more
> appropriate - but even so, users have reported single-figure-percentage
> reductions in performance when file auditing + regexp filtering is used.
Here's food for thought. I'll owe a beer to the
first person who figures out the right answer to
this riddle:
On Irix you can improve compiler performance
by installing the audit module, but leaving it
turned off. How can this be?
=====
Casey Schaufler
casey schaufler-ca com
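The "audit user id" point above, as an added example that is not part of the original message or of the Linux audit project: Linux audit carries a per-task login uid (reported as `auid` in records) that the login process sets and that su does not change, which is the same idea as the Solaris/Irix audit user id. The record lines are constructed for this example in the key=value style of auditd SYSCALL records; the field names `auid`, `uid` and `comm` are real, the pids, timestamps and values are made up. Grouping the same events by `uid` and by `auid` shows why filtering on the real uid loses the logged-in user once su has run.

```python
"""Attribute audit events to the login user (auid) rather than the real uid.

Added example, not code from the original message or the Linux audit
project. The sample records below are constructed: alice (uid 1000) logs
in, opens a file as herself, su's to root and opens another file, while a
boot-started daemon that never passed through login also opens one.
"""
import re
from collections import defaultdict

# Constructed auditd-style SYSCALL records (openat = syscall 257 on x86_64).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1105058490.000:2): arch=c000003e syscall=257 success=yes '
    'exit=3 ppid=4001 pid=4010 auid=1000 uid=1000 euid=1000 comm="cat" exe="/bin/cat" key="watch"',
    'type=SYSCALL msg=audit(1105058500.000:3): arch=c000003e syscall=257 success=yes '
    'exit=3 ppid=4010 pid=4020 auid=1000 uid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="watch"',
    'type=SYSCALL msg=audit(1105058510.000:4): arch=c000003e syscall=257 success=yes '
    'exit=3 ppid=1 pid=900 auid=4294967295 uid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="watch"',
]

# (unsigned)-1: the task never went through a login process, so no user
# can be held responsible for it via the login uid.
UNSET_AUID = 4294967295

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value audit line into a dict, stripping double quotes."""
    return {key: value.strip('"') for key, value in _FIELD.findall(line)}


def by_field(lines, field):
    """Group SYSCALL records by one id field: {id: [comm, ...]}.

    Filtering on "uid" merges root-via-su with root daemons; filtering on
    "auid" keeps alice's post-su activity attributed to alice.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        groups[int(rec[field])].append(rec["comm"])
    return dict(groups)


def login_user_for(line):
    """Return the login uid responsible for a record, or None when the
    task never passed through login (auid unset), e.g. a daemon from boot."""
    auid = int(parse_record(line)["auid"])
    return None if auid == UNSET_AUID else auid


if __name__ == "__main__":
    print("by uid: ", by_field(SAMPLE_RECORDS, "uid"))
    print("by auid:", by_field(SAMPLE_RECORDS, "auid"))
```

Grouped by `uid`, the `vi` run by alice after su is indistinguishable from the daemon's activity as root; grouped by `auid`, it stays with alice, and the daemon's unset auid is a clear signal that no login user is behind it.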
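The "path name or inode" question in the quoted item 4, as an added example that is not part of the original message or of any audit implementation. It builds a file, a hard link and a symlink to it in a temporary directory it constructs itself, and shows that several path names resolve to one (device, inode) object while the symlink, looked at without following it, is a different object; it then deletes and recreates the file to show that the name and the inode number part ways over time.

```python
"""Path names versus (device, inode) identity for file-open auditing.

Added example, not code from the original message or from any audit tool.
The directory tree is constructed by build_demo_tree() and removed again.
"""
import os
import shutil
import tempfile


def object_identity(path, follow_symlinks=True):
    """Identify a filesystem object by (st_dev, st_ino), the pair the
    kernel uses; with follow_symlinks=False a symlink is identified as
    itself rather than as its target."""
    st = os.stat(path, follow_symlinks=follow_symlinks)
    return (st.st_dev, st.st_ino)


def group_paths_by_object(paths):
    """Map each distinct object to the path names that reach it,
    following symlinks the way open(2) would."""
    groups = {}
    for p in paths:
        groups.setdefault(object_identity(p), []).append(p)
    return groups


def build_demo_tree():
    """Create foo, a hard link foo_hard and a symlink foo_link -> foo.
    Returns (directory, [foo, foo_hard, foo_link])."""
    d = tempfile.mkdtemp(prefix="audit-demo-")
    foo = os.path.join(d, "foo")
    with open(foo, "w") as fh:
        fh.write("payload\n")
    hard = os.path.join(d, "foo_hard")
    os.link(foo, hard)
    link = os.path.join(d, "foo_link")
    os.symlink("foo", link)
    return d, [foo, hard, link]


def demo():
    """Run the demonstration and return the observations as a dict."""
    d, (foo, hard, link) = build_demo_tree()
    try:
        groups = group_paths_by_object([foo, hard, link])
        before = object_identity(foo)
        # Delete and recreate "foo": the name is the same, but the object
        # behind it is new. The old inode is still alive under foo_hard,
        # so an audit trail keyed on the inode number alone now points at
        # something "/tmp/foo" no longer names.
        os.unlink(foo)
        with open(foo, "w") as fh:
            fh.write("replacement\n")
        return {
            # how many names reached each object when symlinks are followed
            "names_per_object": sorted(len(v) for v in groups.values()),
            "symlink_is_distinct": object_identity(link, follow_symlinks=False) != before,
            "foo_before": before,
            "foo_after_recreate": object_identity(foo),
            "hard_link_after_recreate": object_identity(hard),
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An auditor who records only the path string cannot tell the three names apart from three different files, and one who records only the inode number cannot tell that "foo" was replaced; recording both the resolved (device, inode) pair and the name the caller used is what answers the question the message asks.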